IRS faulted for poor security of sensitive data

WASHINGTON - One more tax-season dread: A week before the filing deadline, Treasury watchdogs said yesterday that poor controls over IRS computers could allow a disgruntled employee, agency contractor, or outside hacker to steal taxpayers' confidential information.

Indeed, a hacker might even "gain full control of the IRS network," said a report from the office of the Treasury Inspector General for Tax Administration.

Investigators did not cite any specific cases of wrongdoing within the IRS, which processes some 137 million tax returns. But they suggested a lack of review means someone could get sensitive information and no one would ever know.

The report was released amid increasing scrutiny of the IRS and security concerns within the system and identity theft threats from outside:

•The independent IRS Oversight Board, in a report issued last month, outlined some $32 million in spending it said was needed to enhance IRS security. "Disrupting IRS returns processing and stealing sensitive information could wreak havoc on the economy and financial markets," it said.

•IRS Commissioner Douglas Shulman will testify before Congress on Thursday about scams in which people are fooled into revealing their Social Security numbers and other confidential data by e-mails and phone calls purported to be from the IRS. The tax agency said last month that taxpayers this year had forwarded to the agency 33,000 'phishing' scam e-mails reflecting more than 1,500 schemes.

Inside the IRS, yesterday's inspector general report dealt specifically with the thousands of routers and data switches that link networks and direct computer traffic among the tax agency's offices. It suggested that "an unscrupulous person could divert data traffic through a third-party system on its way to the intended destination."

In a statement yesterday, the IRS said it had "taken a number of steps to improve the control and monitoring of routers and switches. The IRS is not aware that any taxpayer data has been compromised due to a security breach. We continue to work to improve our security capabilities and we have extensive intrusion-monitoring capabilities to watch for potential breaches."

In January a congressional Government Accountability Office study prodded the IRS to fix dozens of information security weaknesses that left taxpayer records vulnerable.

There have been several information-security incidents concerning government agencies other than the IRS. Perhaps the biggest was two years ago when a computer hard drive with millions of names, Social Security numbers, and birth dates was stolen from a Veterans Affairs employee's home in Maryland. It was later recovered.